Love these forums, I've been reading for the past few weeks getting used to my first Mikrotik, however I'm still very much a beginner.
I've been attempting to create a home setup with VLANs using Router-Switch-AP (all in one) from viewtopic.php?t=143620
However using the following modified config, my devices are unable to get any ip address when connecting via wifi or ethernet.
Im then unable to access the router via Winbox or IP, and need to reset the router to try again.
VLAN 10 - Home
VLAN 20 - IOT
VLAN 30 - Guest
VLAN 99 - MGMT/base
Setup:
Code: Select all
#######################################
# VLAN Overview
#######################################
# 10 = HOME
# 20 = IOT
# 30 = Guest
# 99 = BASE (MGMT) VLAN
#######################################
# WIFI Setup
#
#######################################
# HOME SSID
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless set [ find default-name=wlan1 ] ssid=HOME frequency=auto mode=ap-bridge disabled=no
# IOT SSID
/interface wireless security-profiles add name=iot authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan_iot ssid=IOT master-interface=wlan1 security-profile=iot disabled=no
# Guest SSID
/interface wireless security-profiles add name=guest authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan_guest ssid=GUEST master-interface=wlan1 security-profile=guest disabled=no
# Optional: BASE SSID, admin level access to Winbox the device. Use a local ethernet port if preferred.
/interface wireless security-profiles add name=Base authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan_mgmt ssid=BASE master-interface=wlan1 security-profile=Base disabled=no
#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
#######################################
#
# -- Access Ports --
#
#######################################
# ingress behavior
/interface bridge port
# HOME VLAN
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=ether5 pvid=10
add bridge=BR1 interface=wlan1 pvid=10
# IOT VLAN
add bridge=BR1 interface=wlan_iot pvid=20
# GUEST VLAN
add bridge=BR1 interface=wlan_guest pvid=30
# BASE_VLAN
add bridge=BR1 interface=wlan_mgmt pvid=99
# egress behavior, handled automatically
# L3 switching so Bridge must be a tagged member
/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=30]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]
#######################################
# IP Addressing & Routing
#######################################
# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN
# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="9.9.9.9"
# Yellow WAN facing port with IP Address provided by ISP
/ip address add interface=ether1 address=192.168.0.1/24 network=192.168.0.0
#######################################
# IP Services
#######################################
# HOME VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=HOME_VLAN vlan-id=10
/ip address add interface=HOME_VLAN address=10.0.10.1/24
/ip pool add name=HOME_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=HOME_POOL interface=HOME_VLAN name=HOME_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
# IOT VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=IOT_VLAN vlan-id=20
/ip address add interface=IOT_VLAN address=10.0.20.1/24
/ip pool add name=IOT_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
# GUEST VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GUEST_VLAN vlan-id=30
/ip address add interface=GUEST_VLAN address=10.0.30.1/24
/ip pool add name=GUEST_POOL ranges=10.0.30.2-10.0.30.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
/ip dhcp-server network add address=10.0.30.0/24 dns-server=192.168.0.1 gateway=10.0.30.1
# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################
# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
# VLAN aware firewall. Order is important.
/ip firewall filter
##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"
# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"
add chain=input action=drop comment="Drop"
##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
add chain=forward action=drop comment="Drop"
##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"
#######################################
# VLAN Security
#######################################
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan_iot]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan_guest]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan_mgmt]
#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes